Hit and Run: New twist in Cardinals' hack; All-Star votes get tossed; more

In today's tech-centric edition of Hit and Run, Jay Jaffe looks at a new twist in the Cardinals' hack of the Astros, the issues with MLB's online All-Star vote, and Pablo Sandoval's Instagram faux pas.
Publish date:

Computers are ubiquitous, a part of everyday life whose power we often fail to appreciate. The phone on which you may be reading SI.com during your commute has orders of magnitude more power than the guidance system that NASA used to put two astronauts on the moon in 1969. Even as portable and desktop devices have made their way further into baseball—from spreadsheet-driven–front-office decisions to the ability of subscribers to stream video of every game—it's tough to top this week's confluence of computer-related shenanigans involving players, teams and fans.

1. Once more unto the Ground Control breach

In the three days since TheNew York Times' Michael S. Schmidt broke the news of an FBI investigation into the illegal access of the Astros' Ground Control database by several front-office employees of the Cardinals, the story has advanced on several fronts via additional reports that suggest it was a more sophisticated breach than initially believed.

Cardinals' hacking into Astros' database is worse than Deflategate

On Thursday, the Houston Chronicle's Evan Drelich reported that the Cardinals' unauthorized access to the Astros' database—which contains statistics, scouting information, and internal notes on trade discussions with other teams—stretches as far back as 2012, during Jeff Luhnow's first season as Houston’s general manager following his five years in St. Louis as the vice president of scouting and player development. While the FBI began its investigation after the '14 breach that led to the publication of the team's internal notes on trade discussions, it is now believed that four or five Cardinals employees are under investigation for breaches in '12 and '13 as well as last year, some of which have been traced to a house in Jupiter, Florida, near the team’s spring training facilities.

In his first public comments since news of the investigation broke, Luhnow told SI's Ben Reiter that the access wasn't simply a result of his former office-mates using old passwords, citing his experience in the technology industry before entering baseball. "I absolutely know about password hygiene and best practices," Luhnow said. "I’m certainly aware of how important passwords are, as well as of the importance of keeping them updated. A lot of my job in baseball, as it was in high tech, is to make sure that intellectual property is protected. I take that seriously and hold myself and those who work for me to a very high standard.”

• CHEN: Quiet Francisco Cervelli is unheralded MVP of Pirates

Bolstering that claim and the notion that this was not some random, unsophisticated attack is a report from the Wall Street Journal's Brian Costa that one of the breaches was traced to a house near Indianapolis whose occupants were participants in a network called Tor (for "the onion router"), which is used to make users and their online behavior anonymous. Wrote Costa, "The use of Tor in the Astros case suggests that someone in at least one of the incidents went through the effort of trying to cover their tracks, but were only partly successful."

Source offers possible motivation for Cardinals hacking Astros' system

Via Reiter, Luhnow also refuted the idea that he had taken intellectual property from the Cardinals, for whom he created a similar database called Redbird: "I’m very aware of intellectual property and the agreements I signed. I didn’t take anything, any proprietary information. Nor have we ever received any inquiries from anybody that even suggested that we had.”

Thus far, no reports have implicated Cardinals general manager John Mozeliak or chairman Bill DeWitt Jr. as having known about the hacking or acting to cover it up. Speaking publicly for the first time since the Times report, DeWitt told the St. Louis Post-Dispatch's Robert Patrick that the Cardinals had no knowledge of the violations until the FBI launched its investigation. He said the team has been "very cooperative with the investigation," turning over "lots of material," and that the hacking was an "illegal act" that was part of "roguish behavior" but "certainly a needle in the haystack when it comes to the scope of our operation." The team has launched its own investigation into the matter, and DeWitt has vowed to dismiss anyone connected to the illegal access.

Both Luhnow and DeWitt have dismissed the value of the Astros’ trade dialogues and scouting reports to each others’ teams because such information would quickly become outdated. However, Peter Gammons spoke to one unnamed GM who cited the access to daily medical records, prospect reports and preference lists as valuable information that could potentially be put to use once acquired. That’s in theory, but in practice, the Cardinals and Astros have completed only one trade since Luhnow’s move: in August 2012, St. Louis sent infielder Tyler Greene to Houston via a conditional deal involving either cash or a player to be named later. Greene was below replacement level for both teams that year (-0.4 WAR in 77 games for the Cardinals, -0.1 in 39 games for the Astros), and was released the following spring, with no other player changing hands, suggesting that the trade was completed using cash.

Commissioner Rob Manfred isn't expected to rule on the matter until the FBI completes its investigation, which could result in criminal prosecution under the broad Computer Fraud and Abuse Act. Via Drelich:

The commissioner’s power to punish ranges from issuing a reprimand; barring a club from major league meetings; suspending or removing any team owner, officer or employee; levying a fine that can’t exceed $2,000,000 in the case of a club, and no more than $500,000 in the case of an owner, officer or employee. The commissioner too can take away the benefit of any or all major league rules—which include, notably, the Rule 4 and 5 drafts. The Rule 4 draft is better known as the amateur draft. The rules too allow for other unspecified, punishments as the commissioner sees fit.

While Drelich spoke to a legal expert who believes that the Astros may have grounds for a civil suit based on the theft of trade secrets, MLB rules prohibit teams from suing one another. Even so, we clearly haven't heard the last of this story.

• WATCH: How FBI and MLB could punish Cardinals for Astros hack

Mike Moustakas of the Royals leads all American League third baseman in All-Star Game fan voting.

Mike Moustakas of the Royals leads all American League third baseman in All-Star Game fan voting.

2. Hack the vote!

In MLB's first year of online-only voting, the story thus far has been the dominance of the defending AL champion Royals, whose players lead the balloting at eight out of nine positions, including second base, where Omar Infante is on top despite struggling to a .228/.236/.311 line. Mike Trout is the only non-Royal who would start, based on this week's totals.

While that showing may be based upon rabid Royals fans simply exercising their right to vote up to 35 times per email address, MLB Advanced Media CEO Bob Bowman told Yahoo Sports' Jeff Passan that the league has disallowed millions of votes (out of what's expected to be a final count of around a half-billion) over concerns of improper voting:

"I'm not saying we bat 1.000," Bowman said. "But it's between 60 and 65 million votes that have been canceled. We don't really trumpet it because if someone thinks they're getting away with it, they'll try to again."

Thirty-five of those votes belonged to the email address of Yahoo Sports blogger Mike Osegueda, who received a verification email for ballots he didn't cast.

The Sporting News'Jesse Spector and SB Nation's Alex Hall have similarly reported receiving verification of their email addresses being used to vote, though both claim not to have cast any ballots thus far.

Fixing the AL's All-Royals All-Star team: Vote for these players instead

As reported by WTOP's Noah Frank and SB Nation's HookSlide of the Tigers-themed Bless You Boys blog, it's not too difficult for somebody with a bit of programming acumen to write a script that exploits the holes in the voting system. Frank cited a conversation with Ken Colburn of WTOP's Data Doctors, who told him, "The possibility of an automated script exists precisely because the validation process isn’t there.” And while MLB claims to have safeguards in place with regards to recognizing irregularities, “spoofing the IP address is not that difficult for people who are very tactical … There are certainly ways to get past the security system.”

HookSlide wrote that because of the lack of a confirmation email or input of a verification code when casting ballots, it's possible to use any address to trigger the 35-vote maximum:

With a basic knowledge of HTML, a bit of Javascript, and a few minutes to play around, I was able to exploit MLB's All-Star voting system quite easily.

…[I]t was a simple matter of using Google Chrome's built-in network traffic monitor to discover that all of the voting selections are being sent via URL, attached to a request for an image that is 1x1 and white. It's so small you'd never see it, but it's there, and embedding that image effectively casts another ballot.

…I've embedded that image somewhere in this post, by the way, so by the time you've read this far, that image has loaded and you've already cast another ballot for my specific All Star player picks. Thank you for your support.

Feel safer yet? It's unclear yet how many of the 60–65 million votes cited by Bowman have already been thrown out, or the impact that further irregularities could have, particularly on the Royal-blue slate. Suffice it to say that even beyond the inherent contradiction of the All-Star Game—an exhibition whose primary participants are determined by fans, yet one that is supposed to determine home-field advantage for the game’s greatest prize—the system needs a significant overhaul. Manfred may have to weigh in even before reconsidering the structure of next year’s selection process.

• CORCORAN: Billy Burns takes AL lead in latest look at ROY race


3. The Sox don’t “like” this Pandagram

Signed to a five-year, $95 million deal last November, Pablo Sandoval hasn't exactly been a hit in Boston, but even given the possibility of his signing going sour, nobody could have foreseen the benching that the 28-year-old third baseman received on Thursday. Earlier that day, it was discovered that he had been on Instagram during Wednesday night's game, thereby violating both league rules and team policy with regards to the use of electronic devices. Manager John Farrell and general manager Ben Cherington met with Sandoval prior to Thursday's game, then mandated that he ride the pine during the team's 5–2 win over the Braves.

Via the timestamps on his Instagram account, Sandoval was initially discovered by the Barstool Sports website to have "liked" two photos of female user @diva_legacy during Wednesday night's loss. According to the Boston Globe's Pete Abraham, Sandoval accessed Instagram during the seventh inning, when he went into the clubhouse to use the bathroom and "grabbed his phone out of habit," though "he claimed never to have done it before."

Aside from his questionable hygiene, Sandoval ran afoul on multiple fronts. Again via Abraham:

The Red Sox have a team rule requiring cellphones, tablets, and other devices be shut off 30 minutes before first pitch. Major League Baseball has a similar rule, and spokesman Mike Teevan said Sandoval’s actions are under review.

MLB’s on-field operations regulations mandate that players are prohibited from using devices within 30 minutes of the start of a game. Sandoval is not considered in violation of MLB’s social media policy because he did not post any messages.

Sandoval was not fined by the Red Sox, though in addition to the benching, he did have to apologize to his teammates in what must have been a humbling conversation. He could still be fined or perhaps suspended by the league. Back in 2011, White Sox manager Ozzie Guillen was suspended two games and fined $20,000 for tweeting during a game in which he had been ejected.

Nolan Arenado has a hot corner style all his own but gets golden results

While this incident doesn't appear to be as serious as Guillen's, since Sandoval didn't "say" anything that could get him into hotter water, his mid-game mental perambulation does stir up memories of Red Sox players mentally checking out of during the team's late-2011 collapse. As the Globe reported in October of that year, pitchers Josh Beckett, John Lackey and Jon Lester routinely ate fried chicken, drank beer and played video games in the clubhouse during games that they weren't starting. Their conduct fed the perception that manager Terry Francona had lost control of the team; he and the Red Sox parted ways after the season.

Even if Sandoval escapes further discipline, this is a bad look. For a player who spent much of the offseason carping about how the Giants didn’t properly respect him as he approached free agency, Sandoval’s own lack of respect for his teammates and manager has given the team a black eye at a time when the Red Sox are currently 10 games under .500 (29–39) with the league's second-worst record and run differential (-57).

Even with a streak of five straight two-hit games and a 14-for-31 run dating back to June 10, Sandoval is batting a tepid .270/.323/.409 for a 103 OPS+—19 points below his career mark—with defense that rates at 10 runs below average according to both Defensive Runs Saved and Ultimate Zone rating. Perhaps he should put down his phone and pick up his game. It’s already too late for him to heed the suggestion of ESPN’s Keith Olbermann, who suggested to me during a spot on Thursday’s edition of The Olbermann Show that he claim his phone was hacked by the Cardinals. Speaking of which...